Skip to main content

Android Testing

This guide covers Android application penetration testing. Where possible, I have included procedures for Android versions up to 15. I use rooted Pixel devices during any penetration testing engagments, as well as Corellium virtual device as needed.

Android Security

With each major Android release, Google updates the developer security guide. This guide describes the overall implementation of security features - both hardware and software - for the latest release. To fully understand the security features of Android, it is recommended that you read through the security guide.

The latest guide is located at: https://developer.android.com/topic/security/best-practices

OWASP Mobile Top 10 (2024)

Official Link

M1: Improper Credential Usage

M2: Inadequate Supply Chain Security

M3: Insecure Authentication/Authorization

M4: Insufficient Input/Output Validation

M5: Insecure Communication

M6: Inadequate Privacy Controls

M7: Insufficient Binary Protections

M8: Security Misconfiguration

M9: Insecure Data Storage

M10: Insufficient Cryptography

OWASP Mobile Testing Guide

Official Link

OWASP produces a very good mobile application penetration testing guide. It covers both Android & iOS, and is frequently updated. For a more complete guide of testing procedures, I highly recommend that you use the OWASP guide during any testing engagements!